Analysing packet captures with tcpstream

tcpstream is a Tcl program which takes a packet capture file as input, picks out the TCP packets, and attempts to display the payload of those packets in a readable form. It's mainly intended to help when diagnosing HTTP or SMTP problems (or problems with any other protocol that is based on plain text: IMAP, FTP, etc.). It is no help with encrypted traffic such as HTTPS, where the payload carries nothing readable.

Note that many packet capture programs will default to truncating the packets they save in the capture file, so they save the packet headers but little or none of the payload. Older versions of tcpdump (before 4.0) defaulted to a snapshot length of 68 bytes, which is enough for the link, IP and TCP headers and only a few bytes of data; recent versions capture whole packets by default, but a capture file you have been handed may well have been taken with a short snapshot length. Truncated packets leave tcpstream with only the first few bytes of each payload, if any, so there is little it can usefully display.

To tell tcpdump to save everything in the packets, set the snapshot length (snaplen) to zero with -s0, which tcpdump interprets as "capture whole packets", as in the example below (-i en1 selects the interface, -nn turns off host and port name resolution, -p leaves the interface out of promiscuous mode, and -w writes the raw packets to a file instead of printing them):

tcpdump -i en1 -nn -p -s0 -w/tmp/80.cap

tcpstream doesn't have any command-line options; it takes the capture file name as its sole argument. If you want to display only a subset of the captured packets, use tcpdump to read the existing capture file (-r), apply a filter expression, and write the matching packets out (-w) as a new capture file, then run tcpstream on that.
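As an added illustration (not tcpstream's own Tcl code, and not part of the original page), here is a small Python reader that does the core of what tcpstream does on a classic pcap file: it walks the records, picks out Ethernet/IPv4/TCP segments, and joins each direction's payload in sequence order. It builds its own constructed sample capture twice, once with a full snapshot length and once with the 68-byte snaplen old tcpdump versions used, so the effect of truncation described above can be seen directly, and its optional port argument stands in for re-filtering the capture with tcpdump. The addresses, ports and HTTP/SMTP bytes are made up for the example; pcapng, VLAN tags, IPv6 and real TCP reassembly (gaps, overlaps) are deliberately out of scope.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap with microsecond timestamps
LINKTYPE_ETHERNET = 1
OLD_TCPDUMP_SNAPLEN = 68     # default snapshot length of tcpdump before 4.0


def pcap_records(data):
    """Yield (incl_len, orig_len, frame) for each record of a classic pcap file.

    incl_len < orig_len means the capturing program cut the packet down to its
    snapshot length; the missing tail is gone for good.
    """
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:          # same magic written by a big-endian host
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break                      # file itself cut short; stop rather than misparse
        off += incl_len
        yield incl_len, orig_len, frame


def tcp_fields(frame):
    """Parse Ethernet/IPv4/TCP; return (src, sport, dst, dport, seq, payload) or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need IPv4 ethertype and minimal headers
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                     # IP protocol 6 is TCP
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]            # on a truncated frame this slice comes up short
    if len(tcp) < 20:
        return None
    sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4       # data offset in 32-bit words
    return src, sport, dst, dport, seq, tcp[doff:]


def extract_streams(data, port=None):
    """Group TCP payload bytes by (src, sport, dst, dport), ordered by sequence number.

    Returns (streams, truncated): truncated counts segments whose packet was cut
    by the snaplen. port keeps only segments with that source or destination
    port, the same idea as re-filtering the capture with tcpdump.
    """
    segments = defaultdict(dict)       # stream key -> {seq: payload}
    truncated = 0
    for incl_len, orig_len, frame in pcap_records(data):
        fields = tcp_fields(frame)
        if fields is None:
            continue
        src, sport, dst, dport, seq, payload = fields
        if port is not None and port not in (sport, dport):
            continue
        if incl_len < orig_len:
            truncated += 1
        if payload:
            segments[(src, sport, dst, dport)].setdefault(seq, payload)   # drop exact retransmits
    # naive reassembly: concatenate in sequence order, no gap or overlap handling
    streams = {key: b"".join(by_seq[s] for s in sorted(by_seq)) for key, by_seq in segments.items()}
    return streams, truncated


def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums are left zero since nothing here verifies them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames, snaplen):
    """Write a little-endian classic pcap, truncating each frame to snaplen as tcpdump -s does."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        kept = frame[:snaplen]
        out += struct.pack("<IIII", 1700000000 + i, 0, len(kept), len(frame)) + kept
    return out


# Constructed sample traffic: an HTTP request/response pair and one SMTP banner.
SAMPLE_FRAMES = [
    build_frame("10.0.0.2", 51234, "10.0.0.1", 80, 1000, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("10.0.0.1", 80, "10.0.0.2", 51234, 5000, b"HTTP/1.0 200 OK\r\n\r\nhello"),
    build_frame("10.0.0.1", 25, "10.0.0.3", 40000, 7000, b"220 mail ready\r\n"),
]
FULL_CAPTURE = build_pcap(SAMPLE_FRAMES, snaplen=262144)            # what tcpdump -s0 gives
SHORT_CAPTURE = build_pcap(SAMPLE_FRAMES, snaplen=OLD_TCPDUMP_SNAPLEN)

if __name__ == "__main__":
    for name, cap in (("full capture", FULL_CAPTURE), ("snaplen 68", SHORT_CAPTURE)):
        streams, truncated = extract_streams(cap, port=80)
        print(f"== {name}: {truncated} truncated TCP segment(s) on port 80")
        for (src, sport, dst, dport), payload in streams.items():
            print(f"{src}:{sport} -> {dst}:{dport}: {payload!r}")
```

With the 68-byte snapshot length each payload is cut to 14 bytes (68 minus the 54 bytes of Ethernet, IP and TCP headers), so the request shows up as "GET / HTTP/1.0" with no headers or line endings, which is exactly the kind of capture the note above warns about.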

This is how to invoke tcpstream:

tcpstream /tmp/80.cap